Windows automatic update recommendations

[Xaqte]

I'm trying to sway some certain individuals into disabling automatic updates on our Web servers. Personally, I know how critical this is for any server... none the less high traffic web servers.

I need to find solid information on the web supporting my cause, and I knew I could count on the members here in backing me on this.

Also, what is the best way to handle updates for this type of environment... wsus or what? Although this is just for a handful of sites, we do have an average of 25 + servers per site.

I was able to find some links on my own, but as I've been out of the IT part of things I haven't kept up to date as I'm sure some of you have.

Thanks in advance for any thoughts/recommendations!

X

 

[GrimR]

Having 25 servers per site I would have been using WSUS a long time ago, don't know why it's taken you this long to implement it, I suppose thats why some companies still run NT, if it ain't broke don't fix it.
And do check that any updates being installed are tested, they can cause problems.

 

[Xaqte]

GrimR,
Glad to hear WSUS is the best plan of action.

I'm still having problems finding rock solid links supporting/recommending turning off the automatic updates.

 

[GrimR]

I'm still having problems finding rock solid links supporting/recommending turning off the automatic updates

I don't think you will, updates are there to patch holes /files that allow hackers or viruses to enter your system. Including any updates that may benefit you e.g Service Packs

 

[itsp1965]

I understand your concern, but as the other folks have indicated there are reasons for deploying patches which is to secure your server. This especially rings true with Web servers which are particularly vulnerable
I would recommend that you come to a compromise with your sysadmins. Usually before we deploy patches we test on the environments we deploy them to. Is it possible for you to setup a test webserver that mirrors your production, whereby you can have the patches tested first and the bring up your concerns with your sysadmins if there are any issues.

 

[Xaqte]

Thanks for the support guys! I did manage to find one link, but I'm still on the lookout for more:

CYA Securing IIS

 

[Davetoo]

You won't find any rock solid links supporting the disabling of updates because it's not a very smart thing to do.

You've already been advised of the best method, deploying a WSUS server. Establish a GPO that forces your servers to pull their updates from the WSUS server so that you can control the updates, i.e. test them first.

You seem to have come here with a preconceived notion of what's right and wrong and now don't want to accept that your not taking the proper route for this issue. I suggest you take a step back and understand why updating your servers, especially web servers, is so important and that turning off updates (i.e. not updating them) is the exact opposite of what you should be doing.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

 

[Xaqte]

I agree the proper route is to use WSUS. But the use of this is the better alternative to just having automatic updates turned on. I wasn't looking for links supporting just the turning off the updates, but turning them off for a better alternative.

 

[Davetoo]

Who are you trying to convince of this? Any Network Admin worth his salt knows that WSUS is the best option we have right now.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

 

[Xaqte]

Everyone needs convincing, and as far as the admins knowing their salt... this is a low-sodium environment!

 

[cpjust]

I always disable Automatic Updates on all my systems because I don't want Automatic Update to reboot my system without asking me. But then again, all my systems are QA & Development systems not exposed to the outside.